
ECCTA failure to prevent fraud: Assess your organisation’s readiness

The new ‘failure to prevent fraud’ offence will come into force in the UK in September 2025. Emma Young and Will Morris explain why organisations must assess their readiness and prepare a roadmap to tackle the regulatory changes in the year ahead.

The Economic Crime and Corporate Transparency Act (ECCTA), which received royal assent in October 2023, includes a new offence of failure to prevent fraud. Large organisations, including local authorities and charities, can soon be found criminally liable if their employees, agents, subsidiaries or other associated persons commit fraud with the intention to benefit the organisation or their clients.

An organisation will have a defence if it can show that it had reasonable procedures to prevent fraud. In November 2024, the Government released statutory guidance on what constitutes reasonable procedures, and organisations now have until September 2025 to prepare before the new offence comes into force.    

What should you consider?  

The statutory guidance contains six principles to inform fraud prevention frameworks:

Top level commitment  

Those charged with governance should foster an open culture in which fraud is never acceptable, through communication, leading by example, and clear governance of fraud prevention with appropriate training and resources.    

Risk assessment  

The organisation should identify the risks of fraud in scope of the offence and assess the extent of its exposure to them, including by considering the three elements of the fraud triangle: opportunity, motive, and rationalisation.

Proportionate risk-based prevention procedures  

The organisation should prepare a fraud prevention plan which is proportionate to the risks identified in the risk assessment.

Due diligence  

Organisations should apply proportionate due diligence procedures in respect of associated persons, to mitigate the fraud risks identified in the risk assessment. The guidance suggests this may include using screening tools and reviewing contracts with associated persons.

Communication (including training)  

Communication should be used to ensure that the fraud prevention policies are understood and embedded throughout the organisation and at all levels, including through training. Organisations will also be required to have an appropriate whistleblowing framework, which may be new in sectors where there isn’t a regulatory requirement, such as financial services.

Monitoring and review  

The organisation should monitor and review its fraud prevention procedures and make improvements where necessary. This will include having in place arrangements to investigate attempted frauds.

Putting it into practice: identifying your next steps    

The right approach to assessing your readiness for the ECCTA will depend on the specific needs of your organisation. That's why we recommend a phased approach that starts with an assessment of your current status.    

Phase 1 – gap analysis and maturity assessment    

Undertaking a gap analysis will enable you to compare the current state of your fraud risk protocols with the guidance on failure to prevent fraud, identifying key actions to support compliance. Grant Thornton’s member firm in the US, together with the Association of Certified Fraud Examiners, has created an anti-fraud guide to help assess the maturity of current fraud prevention frameworks.

Phase 2 – develop your fraud risk management roadmap   

Once you've assessed your current framework, the next step is to develop your roadmap. For almost all organisations, this will include updating their fraud risk assessment to include the risks of frauds in scope of the offence, through workshops and desktop review of fraud control design. Testing the operational effectiveness of your fraud control and a detailed assessment of your fraud investigations framework may also be helpful options.

Most organisations already have some level of fraud risk management programme in place, but it may be a low priority. The ECCTA has pushed it much higher up the agenda, because failing to prevent fraud can now mean criminal prosecution. The key to ensuring you're in the best place is to start with an assessment of your current framework, and then move forward from there.  

For more insight and guidance, get in touch with Emma Young or Will Morris.